Yahoo: US wanted data on 40,000 accounts in first half of 2013

Yahoo has now joined the transparency party, disclosing for the first time on Friday the number of requests (PDF) for user data that it received from law enforcement and other government agencies worldwide. Facebook shared its figures for the first time late last month, following other companies like Twitter, Google, and Microsoft.

Not surprisingly, the United States leads Yahoo's list by far. The company reported that during the first half of 2013, American authorities made 12,444 requests of 40,322 accounts. Yahoo handed over content in 37 percent of cases, whereas in 55 percent of the cases, the company handed over only “non-content data” (NCD), which includes:

basic subscriber information including the information captured at the time of registration such as an alternate e-mail address, name, location, and IP address, login details, billing information, and other transactional information (e.g., “to,” “from,” and “date” fields from e-mail headers).

By contrast, the next highest requests came from Germany, which made 4,295 requests of 5,306 accounts. The smallest nation that Yahoo provided data for was New Zealand, which made nine requests on nine accounts, and in five of those accounts, Yahoo shared content. The search company also said that it would break out requests for Tumblr data separately in the future.

Notably, Yahoo says its numbers "include all types of government data requests such as criminal law enforcement requests and those under US national security authorities, including the Foreign Intelligence Surveillance Act (FISA) and National Security Letters (NSLs), if any were received."

“Our legal department demands that government data requests be made through lawful means and for lawful purposes,” Ron Bell, Yahoo’s general counsel, wrote on Friday. “We regularly push back against improper requests for user data, including fighting requests that are unclear, improper, over-broad, or unlawful. In addition, we mounted a two-year legal challenge to the 2008 amendments to the Foreign Intelligence Surveillance Act and recently won a motion requiring the US Government to consider further declassifying court documents from that case.”

51 Reader Comments

We know now the feds have 1000 different ways to get our private data. About 950 of them are illegal. But that doesn't stop them from using legal methods as well. It's like a criminal who stockpiles weapons for a variety of crimes. Yes, many of them might be illegal...many stolen guns or he might have some grenades, illegal assault rifles, anti-aircraft missiles and on and on. But that doesn't stop him from going in and just legally buying some guns.

The NSA thinks the country consists of the people. But the country is its values. The USA is the constitution and all it stands for. If you lose that you lose the USA. You have a bunch of people here but the country is gone.

They need to keep the country safe, which means protecting the constitution not flagrantly violating it for some other purpose. Protecting it is the purpose.

Wait, Yahoo HAS 40,000 accounts? I didn't realize they were ever still around. I thought it was all about Bing vs Google.Well, good for them. I might even stop by there tonight... or tomorrow. Maybe later...

There are quite a few Yahoo! accounts, actually. Their email service is actually quite compatible with all the different smartphone OS/apps out there, including folder support (very spammy though). Also, Yahoo allows for comments from account holders on pretty much all their news articles, and many of those comments suggest strong displeasure with the US government as a whole. Nothing that sounds like citizen revolt or terrorism, but it's a little hard to tell exactly what kind of comments make you part of the dragnet. Mostly, it's just the usual angry, anonymous internet speech you see in many places.

Wait, Yahoo HAS 40,000 accounts? I didn't realize they were ever still around. I thought it was all about Bing vs Google.Well, good for them. I might even stop by there tonight... or tomorrow. Maybe later...

You know Yahoo has become so irrelevant when articles like this one that normally gets over 100 comments in less than an hour and yet this one only has nine just because it's about Yahoo!.

I don't have a problem with lawful warrants for information that can be used in actual trials and that. Forty thousand sounds like a fairly low number for a large country like the USA. Five thousand sounds like a fairly okayish number for a large country like Germany.

If someone is a suspect of a crime, and law enforcement can show probably cause to a judge that a person may commit crimes and that data about the crime may be in his spambucket email account, then it seems okay to me.

It's the other stuff that sets my teeth on edge. And, if they get NSL:s can they actually say anything about how many accounts are targeted by the NSL? Wouldn't that be to indirectly comment on the scope of the NSL?

How can there be so many requests from one single company? Are there really like millions terrorists worldwide or they are requesting data for other suspects of other things as well?

Because if you count all requests from all companies that number would be quite huge. Or are these requests like fishing? Which would make it even worst as data from innocent by standers is shared.

I find it disgusting that all this companies now try to be "transparent" but just now that things blow up, why did they not come up with this "transparency" reports before? Why just now when all this NSA bomb hit the media?

If it was not for that, we would not see any of this reports at all. To be honest I don´t even blame the government for requesting data but this companies that pretend to be something they are not.

Some people here said, that most accounts are fake so numbers are ok, but isn't that even worst? Which means they request data without evidence at all that a specific account is linked to something suspected terrorist? Also Yahoo has almost no email accounts, so how big must this number be for Gmail, Hotmail, etc. Pretty much huge....

Yeah but the real issue at this point is in all likelihood Skype has been compromised along with Office 365, Google Drive, SSL and other MS and Google implemented technologies. I'd bet the disclosures referenced above are nothing compared to scope of things that have been compromised either due to coercion or cooperation.They hope to hell telling you how many request they actually received re: email, or with a break down oh my, will distract you from wondering about everything else they offer.

So was that 40,000 separate requests, or 1 suspect with 3 degrees of separation.I recently was 1st hand an instance of a friend of mine being victimized as a result of one of these investigations ... Someone I've known for over 40 years... We are all still spinning from the disgusting behavior all around... At least they named their source and what they wanted...

FYI - lord of the flies (60s video) is now considered paedophilia. Well, fuck me!?!?!

How can there be so many requests from one single company? Are there really like millions terrorists worldwide or they are requesting data for other suspects of other things as well?

Because if you count all requests from all companies that number would be quite huge. Or are these requests like fishing? Which would make it even worst as data from innocent by standers is shared.

I find it disgusting that all this companies now try to be "transparent" but just now that things blow up, why did they not come up with this "transparency" reports before? Why just now when all this NSA bomb hit the media?

If it was not for that, we would not see any of this reports at all. To be honest I don´t even blame the government for requesting data but this companies that pretend to be something they are not.

Some people here said, that most accounts are fake so numbers are ok, but isn't that even worst? Which means they request data without evidence at all that a specific account is linked to something suspected terrorist? Also Yahoo has almost no email accounts, so how big must this number be for Gmail, Hotmail, etc. Pretty much huge....

Well there is that "hop" notion. So you get the email of John Doe, then his associates (first hop) like Jane Doe (wife), Jack Doe (cousin of John), yada yada yada (second hop) Jane's sister Sandra yada yada yada (third hop) Frank (brother of Sandra).

Forty thousand sounds like a fairly low number for a large country like the USA. Five thousand sounds like a fairly okayish number for a large country like Germany.

The US issued 8 times more requests than Germany, however the population of 'the large' US isn't 8 times bigger than Germany's. It's more like 5 times, roughly. So the US already issued far more requests per capita, despite your estimate of it being a low-ball number. Murricans should therefore be glad the ratio isn't even worse...

I doubt there are 40k terrorists in the world. Oh, but I guess all terrorists are on yahoo....

Depends upon one's definition of terrorist, which is a word that's vastly expanded in use in the last 15 years. Plus, one must consider that this is the US government, not just the CIA/NSA. The FBI pursues plenty of people that are not terrorists by pretty much any measure, and would be included in this case.

As for numbers, Wikipedia lists al-Qaeda and associated groups alone as being estimated to have at least 9,300 members (mostly in Syria, unsurprisingly) and that figure is based on a bizarrely low 50-100 in Afghanistan, a figure that comes from an article that questions the validity of the figure (it does mention that most are thought to be in Pakistan's tribal areas, which is a strategically sound place for al-Qaeda to operate from, at least). Colombia's FARC has another 8-10K. Suffice to say there are plenty more than 40,000 terrorists in this world of over 7,000,000,000 people.

Forty thousand sounds like a fairly low number for a large country like the USA. Five thousand sounds like a fairly okayish number for a large country like Germany.

The US issued 8 times more requests than Germany, however the population of 'the large' US isn't 8 times bigger than Germany's. It's more like 5 times, roughly.

It's actually more like 4 times, precisely. (316m vs 80m)

What I find interesting is that the US has a request-account ratio of 1:3.2, Germany has 1:1.2 and NZ has 1:1. Maybe the Feds just stock up on requests for convenience's sake, or they cast a very wide net.

Also, Yahoo seems to get more requests than Google (8000 requests for 15000 accounts in 2011) and Microsoft (7000/32000 for 1st half of 2013 - look at that ratio!).

If you calculate the requests per day/hour, these companies must have a bunch of dedicated employees just for the task of handing over data. Yahoo gets like 272 requests per day. Everytime somebody *hopefully* checks the legality and the scope and then prepares and transfers the data.

We should remember, though, that the vast majority of these are most likely criminal investigation requests and probably legit. Like when you buy something on eBay and the seller doesn't ship, you press charges, so the police asks eBay for the account information, whatever email-provider he has registered with for those account info and so forth.

I can see the extreme request-account ratio of Yahoo and MS coming from the NSA though. They are most likely to request data on every email account a suspect was in contact with.

So was that 40,000 separate requests, or 1 suspect with 3 degrees of separation.I recently was 1st hand an instance of a friend of mine being victimized as a result of one of these investigations ... Someone I've known for over 40 years... We are all still spinning from the disgusting behavior all around... At least they named their source and what they wanted...

FYI - lord of the flies (60s video) is now considered paedophilia. Well, fuck me!?!?!

In what country? Because it's shown in high school English classes in the US. I remember the book being banned in Canadian schools though at one point, but don't think there was anything specific about the movie.

basic subscriber information including the information captured at the time of registration such as an alternate e-mail address, name, location, and IP address, login details, billing information, and other transactional information (e.g., “to,” “from,” and “date” fields from e-mail headers).

That's a hell of a lot of information they declare as "non-content." Yes, I understand that means no subject line (wow! how redacting of them!) or actual content of emails (so they say) or any other content they may have and hold on users, but there is a fucking hell of a lot of information in that "non-content data" about a person they pass along!

I know many people who have yahoo email accounts. Last I heard they were the third largest email provider worldwide and they weren't at all far behind the most popular two. Indeed in some countries they were the second place. So I have reason to doubt your claim.

I think the cloud bubble is about to burst, or a least move off shore. Privacy and terms of service with cloud services are not honoured when governments steps in. It's time to go back to hosting your own services, on hardened hosts. When they come for your data at least you'll know about it.

I know many people who have yahoo email accounts. Last I heard they were the third largest email provider worldwide and they weren't at all far behind the most popular two. Indeed in some countries they were the second place. So I have reason to doubt your claim.

Do you have an stats to back it up?

It was about a year ago that Gmail overtook Hotmail as the largest e-mail provider. Looking at the numbers in that article the difference in raw numbers seem unimportant: They are all three huge providers. So, no, that guy will never provide any source.

Anecdotal: I'm a Google Apps user myself, but I have enough contacts using Yahoo (and Outlook/Hotmail) that those two combined actually overtakes Gmail in numbers in my address book.

not to take any side here really, but to clarify to people pointing out yahoo's relative irrelevance, they are owned by att and are effectively att's email division at this point, so.. pretty relevant if you ask me.

also, these requests are total law enforcement requests, so not only anti-terror but also anti-child porn, anti-weapons smuggling, anti-illegal gambling, tax evasion, blah blah bob loblaw. so, 40k reqs... not hard to believe. at all.

and i for one do not have a problem with them ponying up with the disclosure of the number and scope of requests at this juncture. this is a big step in the right direction. the .gov scared the panties off these companies with nsl's and now they are starting to peek out of their holes, figuring out what's ok and what's not ok to say. it's all part of the process, and moving in the right direction afaic.

The principal concern with this revelation is the fact that it must be revealed. These requests should be a matter of record. At least there is some semblance of a judicial process, even if it is a kangaroo court.

I am far more concerned by the NSA/GCSB's ability to hoover up data directly off the wire combined with their capacity for cracking/weakening encryption. Thats just an intra-venous feed tube for an insatiable self-perpetuating monster.

I doubt there are 40k terrorists in the world. Oh, but I guess all terrorists are on yahoo....

Depends upon one's definition of terrorist, which is a word that's vastly expanded in use in the last 15 years. Plus, one must consider that this is the US government, not just the CIA/NSA. The FBI pursues plenty of people that are not terrorists by pretty much any measure, and would be included in this case.

As for numbers, Wikipedia lists al-Qaeda and associated groups alone as being estimated to have at least 9,300 members (mostly in Syria, unsurprisingly) and that figure is based on a bizarrely low 50-100 in Afghanistan, a figure that comes from an article that questions the validity of the figure (it does mention that most are thought to be in Pakistan's tribal areas, which is a strategically sound place for al-Qaeda to operate from, at least). Colombia's FARC has another 8-10K. Suffice to say there are plenty more than 40,000 terrorists in this world of over 7,000,000,000 people.

And OF COURSE they all use Yahoo!

You have to wonder just how much Internet access these terrorists have. FARC members live in the jungle. The DSL to Pakistani tribal areas is presumably spotty. ;-)

I was about to say "[citation needed]" but really I should just say that's flat out wrong and have no idea where you would even get that idea.

yes, indeed, i said that wrong. it's a weird partnership actually i don't fully get, but my point was, att's email customers are now largely served by yahoo's brand, and there are a lot of them. but point taken.

wikip:

AT&T Yahoo! is an information service sold by AT&T Internet Services. It is a partnership between AT&T and Yahoo! to provide co-branded dial-up and DSL Internet service.

Stepping back a second, I can imagine there are at least 40,000 comments on the Internet worthy of law enforcement investigation, calling for rape and murder and violence... You know, crime. We don't see it much on Ars, thankfully, but holy crap, the Internet is an ugly, ugly place in some corners.

I don't have a problem with officials looking into all that.

The only problem I really have is trusting the objectives of all these requests. Government officials at every level have a credibility problem. If we had any way of knowing what these requests were all about, maybe the reasons are good. But without knowing, what are we to assume?

I second the call above for mandatory reporting from both sides. In a society that loves to preach on about "holding people accountable," you'd think such an idea would be more popular.

/snip/but holy crap, the Internet is an ugly, ugly place in some corners.

I don't have a problem with officials looking into all that. /snip

You mean like nerds raging about that female writer for Mass Effect 3 and how they sent her death threats? Want to know the real threat potential? ZERO. Every single one of those death threats came from either pubescent 15 year olds or 30 year old neckbeards who would run out of breath going up a McDonalds wheelchair ramp. Ugly, yes. A threat? Only in pixels.

I doubt there are 40k terrorists in the world. Oh, but I guess all terrorists are on yahoo....

The article clearly states that the 40K requests include regular law enforcement requests as well as those of intelligence agencies. This is also an aggregate number of requests from governments and their subordinate organizations from around the world. To say they're all related to terrorism is unquestionably ridiculous. Furthermore, why would you assume the sole charge of the intelligence community is counterterrorism? In no nation is this the case. Stop muddying the waters of an important and much needed debate with immature and unreasonable commentary. Statements like this only help to prevent any reasonable and needed discussion on reforms to intelligence norms.

I doubt there are 40k terrorists in the world. Oh, but I guess all terrorists are on yahoo....

The article clearly states that the 40K requests include regular law enforcement requests as well as those of intelligence agencies. This is also an aggregate number of requests from governments and their subordinate organizations from around the world. To say they're all related to terrorism is unquestionably ridiculous. Furthermore, why would you assume the sole charge of the intelligence community is counterterrorism? In no nation is this the case. Stop muddying the waters of an important and much needed debate with immature and unreasonable commentary. Statements like this only help to prevent any reasonable and needed discussion on reforms to intelligence norms.

Uh, too much coffee for you today?

Get a clue. The vast majority of crime is people whacking each other, grabbing stuff, and occasionally whacking then grabbing. You really don't need cyber sleuthing.

Further, the vast majority of yahoo accounts are cut outs. In fact, people have started and dumped yahoo accounts to such a degree that yahoo is now recycling user names.

How can there be so many requests from one single company? Are there really like millions terrorists worldwide or they are requesting data for other suspects of other things as well?

Because if you count all requests from all companies that number would be quite huge. Or are these requests like fishing? Which would make it even worst as data from innocent by standers is shared.

I find it disgusting that all this companies now try to be "transparent" but just now that things blow up, why did they not come up with this "transparency" reports before? Why just now when all this NSA bomb hit the media?

If it was not for that, we would not see any of this reports at all. To be honest I don´t even blame the government for requesting data but this companies that pretend to be something they are not.

Some people here said, that most accounts are fake so numbers are ok, but isn't that even worst? Which means they request data without evidence at all that a specific account is linked to something suspected terrorist? Also Yahoo has almost no email accounts, so how big must this number be for Gmail, Hotmail, etc. Pretty much huge....

yahoo is still very big in other markets. last i looked, yahoo was number one email provider ahead of gmail, but these things changed so who knows.

onto why companies now release transparency reports; you could say now, it's out of necessity. prior, they were held back by gag orders and what not. they couldn't even reveal or admit things or involvement. I'm sure their lawyers figured out a way to make these reports in a legal manner because as i understood it, the court orders forbade them to even say there was a government request.

I'm surprised they are even allowed to do these reports. and frankly, prior to the leaks, ppl just didn't care. now they do.

I doubt there are 40k terrorists in the world. Oh, but I guess all terrorists are on yahoo....

I do not know if you're right, but think about it: less than say 250k people have effectively eroded the privacy and basic rights of most of worlds billions of free citizens. They turned the sheepdogs on the sheep.

I doubt there are 40k terrorists in the world. Oh, but I guess all terrorists are on yahoo....

Really? I'd imagine there are probably 40,000 terrorists in the US alone. Remember, not all terrorists kill people, and a lot of terrorism is not even illegal, or at least not prosecutable. Organized, continuous harassment is a form of terrorism, and the anti-abortion movement in the US probably has at least 40,000 members on its own who have engaged in low-level terrorism. That's ignoring the various ecoterrorist groups and religious terrorism groups and the racist groups, which probably contribute several thousand members each.